The data, analysed by niche litigation practice Griffin Law, revealed that a total of 3,017 people were potentially affected by personal data-related incidents between January 2020 and March 2021.
One case in the last year saw a member of HMRC staff misuse their position to access personal information in contravention of HMRC policy, on the 11th March 2021. The staff member was dismissed.
Additionally, a locked pedestal desk belonging to HMRC was forced open during an office relocation, resulting in personal identifiers such as ethnic origin and religious beliefs being exposed.
A number of other personal data-related breaches were revealed, but were not required to be reported to the Information Commissioner, instead being recorded centrally within the department.
HMRC stated in its report that the body has learnt lessons from the incidents, and are using them to review and strengthen its customer identity and authentication process.
In spite of the breaches, HMRC stated in the report: “Protecting customer data is important to us and we monitor our processes continually to prevent recurrences.
“In addition, HMRC is delivering enhanced data security, governance and reporting across the department.”
An HMRC spokesperson said: “We take the protection of our customers’ information extremely seriously and continually monitor our systems and data to make sure that information is safe.
“In some of these incidents, customer accounts were accessed using personal data that criminals could have obtained through a variety of methods, including breaches of other organisations’ security. We have established processes for when a customer record is affected by fraudulent activity by a criminal third party.
“We deal with millions of customers every year and tens of millions of paper and electronic interactions. Security and privacy are at the heart of our work. We investigate all security incidents, taking immediate action to reduce the possibility of recurrence.”
According to HMRC, in incidents listed in the Annual Report, customer accounts were accessed using personal data that criminals will have obtained through a variety of methods, including breaches of other organisations’ security.
The governmental department has told Information Age that processes for when a customer record is affected by fraudulent activity by a criminal third party have been established, and it investigates what has been affected on the record and correct it.
HMRC continued: “We then send a letter to the customer explaining that there has been an attempted fraud using their details, confirming that they haven’t suffered any financial losses and that their record has been corrected.
“We also constantly monitor and review our security measures, strengthening them where required.”
Understanding the journey of breached customer data
Donal Blaney, founder of Griffin Law, commented: “HMRC wields draconian powers, and is increasingly out of control. This is further evidence that HMRC needs to be reined in.
“They think they’re above the law. They’re not. Such abuse of its powers, and such criminality, should be investigated to the fullest extent possible by the Information Commissioner and the police if taxpayers are to retain any confidence in HMRC.”
Security specialist Edward Blake, area vice-president EMEA at Absolute Software, added: “HMRC stores and manages countless quantities of sensitive data on a daily basis. This marks HMRC and similar public sector organisations and large institutions as prime targets on the radar of opportunistic cyber attackers.
“Large organisations and governmental departments must be privy to this fact, and employ the right protection and security tools to protect customers’ data which is at risk.
“Today there are more access points than ever before for the cyber criminal, and organisations must defend against all possible angles. This includes protecting everything from firmware and devices, to apps and network connections.
“Adopting ‘Zero Trust’ protocols is one of the most effective ways of stopping bad actors in their tracks, and ensuring that a breach in the system does not necessarily equate to a breach of data. Also, leveraging self-healing technologies to detect and repair unhealthy applications and connections for optimal security and experience is key to boosting network and application security, and negating risk.”
*This article has been updated as of 16:39 on the 13th December 2021, following further information from HMRC.